PDF malware analysis — malicious · fcb2595a7fc457d9

MALICIOUS

PDF

87.8 KB Created: 2021-08-19 06:17:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)

MD5: d7cd77d166b3a373204329c9a86c2cab SHA-1: f7ea8286fb8e7718683b7fcbd53dec819b828aa3 SHA-256: fcb2595a7fc457d9e964bdf54795a02820fb15619e25d9a15c32e782aaad1a9a

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains numerous links, many pointing to compromised CMS uploads or disposable hosting, suggesting it functions as a link farm. The primary goal appears to be directing users to potentially harmful external websites.

Machine Learning

Nyx PDF Classifier malicious score 0.9982

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://traiteur-ribot.fr/userfiles/file/77405238457.pdf
- http://www.miyadenthai.com/image/upload/File/2187140060.pdf
- http://hytechplus.com/userfiles/file/madexuvidini.pdf
- https://anmimar.com/royal/userfiles/file/53450202273.pdf
- https://aguiapromocional.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1611b8b50e4615---kadufiwudubeluloki.pdf
- https://portsidestrategies.com/wp-content/plugins/super-forms/uploads/php/files/aabf2a3e5d5c772258407b6b7240a669/xesunekixukalo.pdf
- http://triumphtoday.org/wp-content/plugins/formcraft/file-upload/server/content/files/160b9089598288---80043469061.pdf
- https://radio-aurea.eu/files/file/14754447600.pdf
- http://texmet.pl/userimages/file/2938445866.pdf
- https://fairtradeportal.pl/userfiles/file/godagaj.pdf
- http://csc0851.com/userfiles/file/20210818142138_ugdxts.pdf
- https://dailyiat.com/html_upload/file/konevijinafevelazube.pdf
- https://propbrains.com/wp-content/plugins/super-forms/uploads/php/files/eb598db236c510117ac763fe3ce5aaa4/sifobopamomaxevisus.pdf
- http://bidmitt.com/img/files/file/rufinuwamoluzawodenome.pdf
- http://firmykominkowe.pl/Obrazki/edytor/file/14247514045.pdf
- http://hockeydh.com/files/ups/files/puvimarubiz.pdf
- https://facades-et-traditions.com/actualites/file/zejojuvurugolawifok.pdf
- http://www.scmphotography.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16072073376e62---10778986185.pdf
- https://asiarsolutions.com/userfiles/file/simofi.pdf
- https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/ns0kqeerad3fn7lboofto6s6hr/wepavakawomef.pdf
- http://srihemkuntsahibfgp.org/hemkunt/userfiles/file/31465745461.pdf
- http://silesiacapital.eu/data/file/liwafi.pdf
- http://manisafar.com/basefile/marcosafarir/files/suwogufefasonemubutoro.pdf
- https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a128c98cfb1---12386382700.pdf
- http://cleannshieldflorida.com/wp-content/plugins/super-forms/uploads/php/files/9dac913c2d5b40d1ce39887912aecd83/42504656742.pdf
- https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=free+printable+door+name+plate+template
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000f0dc.bin` `ce2943b874e88362c2555396ea161ac339067d933a2cc8049e48023d9a79ebef`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF0DC	10500 bytes
`font_01_sfnt_off00010861.bin` `832ee84e707ae4387f7c4dcdb396d6850bcb524cd3316996364a76cf58da870f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10861	17676 bytes
`font_02_sfnt_off0001368a.bin` `9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1368A	16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.